Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow trusted apps to perform cookie login. #612

Merged
merged 1 commit into from
Jan 11, 2024

Conversation

Kelketek
Copy link
Member

Description

This pull request allows Oauth applications with the 'skip_authorization' flag to use the cookie login view. This view is used to grant a session cookie as though the user had logged in directly with their username and password. This functionality already works with 'Resource Owner Password Based' grants.

Previous discussion as to why this view was only permitted for Resource Owner Password Based grants pointed toward the need to support third party applications but not allow them to leapfrog privileges.

However, for applications which have the 'skip authorization' flag set, no restrictions on scope are enforced, as the application is permitted to grant itself all scopes without requiring the user's explicit authorization. This kind of power already nearly mirrors cookie login, however some endpoints on the platform are unable to support non-cookie functionality, such as the loading of units and XBlocks.

Supporting information

Slack Thread on the current limitation.

Testing instructions

The easiest way to test is to run the software tests via the devstack using:

pytest openedx/core/djangoapps/auth_exchange

But to test it more practically, you would need to:

  1. Create an Oauth Application in the Django admin that uses a grant type of Authorization
  2. Use a client OAuth app with the new application credentials to log in
  3. Have the authenticated client post to /oauth2/login/ on the LMS
  4. Verify that the cookie was set and a successful status code (204) was returned.

Deadline

"None" if there's no rush, or provide a specific date or event (and reason) if there is one.

Other information

This change has some implication for security. While it is of the author's opinion that any application which has the 'skip_authorization' flag set should be considered a trusted application anyway, since it can grant all scopes (and thus has the full power of the API available to the user) any application with this flag may as well be able to log in via cookie.

However that does not necessarily mean that deployments are set up with this assumption. It is conceivable that there could be misconfigured applications that would have the ability to login that otherwise wouldn't, and which would have additional powers unexpected. It seems unlikely that these powers would be especially material, since full privileged API access is already so vast.

@Kelketek Kelketek force-pushed the fox/port-oauth-trust-fix branch from d930b29 to b058c45 Compare December 15, 2023 23:20
@Kelketek Kelketek force-pushed the fox/port-oauth-trust-fix branch from b058c45 to d9b5f81 Compare December 18, 2023 20:47
Copy link

@mavidser mavidser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Rant the tests and tried an OAuth application - they work as expected.

@Kelketek Kelketek merged commit fc9543a into opencraft-release/palm.1 Jan 11, 2024
41 checks passed
@Kelketek Kelketek deleted the fox/port-oauth-trust-fix branch January 11, 2024 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants